This is the final report for the ARPA Contract number DAHC 15-73-C-0368 at
UCLA covering the period from June 15, 1973 to November 30, 1975. During
this contract period we have been engaged in the following tasks: providing
a sophisticated network measurement facility adequate for a variety of uses
such as performance measurement, model validation, and the design of network
algorithms; conducting experiments on the network to analyze the effect of
transmitting various data sources; defining and extending the tools necessary
to analyze and evaluate the performance of computer communication systems;
developing models of multiple resource systems and computer networks; studying
packet communication systems that incorporate satellite and/or radio
communications; and designing and beginning implementation of a verifiably
secure operating system for the PDP 11/45. Included is a short statement of
accomplishments followed by a complete bibliography of published works which
were supported under this research contract.

This final report covers the period from June 15, 1973 to
November 30, 1975 for ARPA contract number DAHC 15-73-C-0368. The
research conducted during this period has been amply reported in our
Semi-Annual Technical Reports as well as in the published literature.
Consequently, the format of this final report is quite simple and
brief as was the final technical report for ARPA DAHC 15-69-C-0285.

In the next few paragraphs we discuss the major areas of research and
the principal results which have been obtained therein. The technical
contents of the results of this research are not discussed in detail
here, but rather the reader is referred to the extensive bibliography
of entries, all of which were supported by this ARPA Contract. The
research in many of these areas continues and is currently being
supported on a continuation of ARPA contract DAHC 15-73-C-0368.

During this contract period we have been engaged in the six
tasks listed below:

Task 1: Provide a sophisticated network measurement facility
        adequate for a variety of uses such as performance
        measurement, model validation, and the design of
        network algorithms.

Task 2: Conduct experiments on the network to analyze the effect
        of transmitting various data sources.

Task 3: Define and extend the tools necessary to analyze and
        evaluate the performance of computer communication
        systems.

Task 4: Develop models of multiple resource systems and
        computer networks.

Task 5: Study packet communication systems that incorporate
        satellite and/or radio communications.

Task 6: Design and begin implementation of a verifiably secure
        operating system for the PDP 11/45.


These tasks have all advanced significantly during this period.
The output of this research has appeared in the form of three Ph.D. and
three Master's theses as well as 43 publications of the principal faculty,
staff and students which have appeared in the professional literature.
These publications are listed in the bibliography below. That bibliography
and the research areas are grouped as follows:

(1) Analytic Models of Computer Systems

(2) Analytic Models and Design Methods for Computer Communication
    Networks

(3) Measurements of Computer Communication Systems

(4) Packet Switching for Satellite Communications

(5) Packet Switching for Ground Radio Communications

(6) Computer Systems and Security

In the field of analytic models of computer systems, we have
made major progress in the modeling of multiple-resource models of
operating systems. We are now capable of identifying system bottlenecks,
calculating throughput and delay and suggesting system configuration.
This work is based on queueing network models of multiple resource
operating systems. We have been able to generalize these models to include
much of the realistic behavior of these systems. The costly errors of the
past need no longer be made, and intelligent design can now be done. The
cost-effectiveness of proposed design options and changes can now be
evaluated.

In the field of analytic models and design methods for computer
communication networks we have made significant progress in the optimal
allocation of capacity of distributed computer networks, specifically in the
case where channel capacities must be drawn from a discrete set. This is
an important result in a realistic problem in computer network design; the
solution in this case is important. We have further identified some of the
key issues and challenges in computer networks and have laid out the path of
research for many years to come. We have also made progress in the use of
algorithmic methods in combinatorially complex problems which are needed in
computer systems analysis. We have extended the algorithm for finding
minimal spanning trees in networks, which considerably reduces the cost of
running the algorithm. We have proven that there are very significant gains
to be had with large shared systems. This has been demonstrated mathematically
for a reasonably broad class of systems and we are currently extending that
class. In particular, we have shown that as one scales up the system
capacity and the throughput of any finite-capacity system, then the delay
in passing through that system decreases by the same scale factor. We have
shown this as a bound for general systems and as an exact result for more
specific systems. The significance here is on the design of processing and
communication systems. "Bigger is better" seems to be the message when the
question is posed correctly. The exact form of these results and their
impact on system design will bring considerable light to cost-effective
system design.

Our measurement of computer communication networks has been fruitful
and has exposed many interesting phenomena. As a result of our activities
as the Network Measurement Center (NMC), we have predicted and/or observed
numerous and serious deficiencies with the ARPANET throughput, i.e.,
network deadlocks and degradation. We predicted the "piggyback allocate"
deadlock condition by examining the IMPSYS code and provided a solution to
it which BBN has implemented. The famous "Christmas deadlock" was exposed
as a result of experiments performed by the NMC; this deadlock occurred
due to a lack of pointers to allocated buffers in the destination IMP and
has since been corrected. As a result of our packetized speech experiments
in which we measured single-packet throughput, we identified serious
degradation due to out-of-order packets in the data stream. Furthermore,
we identified the source of unacceptably long delays as being due to
persistent looping caused by the routing procedure; we have found a loop-free
solution to this problem. Analysis and measurements of the effect of
network overhead on the performance as seen by the user have been conducted.

We find that what appear to be harmless options offered to the system
implementers can have significant effects on network performance. We have
identified a number of these and have pointed out how they should be
restricted in order that really major improvements (one to two orders of
magnitude) in network throughput be achieved. The overhead on the
communication lines due to the various levels of protocol has been found
to have profound effects on throughput. The whole mechanism of allocating
buffer space in the destination HOST and in the destination IMP must be
very carefully examined. We find that the maximum line efficiency is
roughly 80% under the most ideal conditions, and that it is as low as 1%
under very common conditions. If the current traffic patterns continue,
then we can obtain only 20-25% line efficiency in the ARPANET.

The exciting area of packet switching for satellite communications
as well as ground radio communications is a new and rapidly growing field
of investigation. We have been successful in evaluating the performance
of packet switching in satellite communication systems and also in ground
radio systems. The slotted ALOHA analysis is quite advanced and now
provides a classical model for system analysis. We have analyzed the basic
unstable behavior of slotted ALOHA in the infinite population case, and
have defined and analyzed the stable and unstable modes in the finite
population case. In the latter situation, we have calculated the average
time until the system goes unstable. Further, we have found OPTIMAL
control policies which render these (unstable) channels stable. Realistic
estimation and heuristic procedures have been developed which allow a
practical implementation of these control procedures and they have been
shown to be quite effective in the throughput-delay-stability tradeoff.

The carrier sense access mode for ground radio has been completely analyzed
in the single hop case; that access mode has been shown to be superior to
slotted ALOHA. The serious problem of hidden terminals has been analyzed
and the busy-tone solution to this problem has been shown to yield performance
which is only slightly degraded as compared to a system with no hidden terminals.
Furthermore, a reservation scheme for using the ground radio channel has been
suggested and analyzed and appears to offer significant advantages over an
important operating range. These random access modes offer distinct
advantages over the more classical access modes when the traffic is bursty (as
with terminal traffic and other interactive traffic). With the simple
slotted ALOHA method as compared to the classical FDM methods, we find that
we can reduce the required bandwidth and/or increase the number of users
and/or reduce the delay over a wide range of system parameter choices; these
advantages are even greater with the use of carrier sense.

In the field of principles of secure computing, a number of results
have been obtained. The bulk of that work falls into three major
categories: security design principles, security verification and
certification, and prototype development. The majority of the design
principles concern operating system structures. Strong evidence has been
developed which argues that the traditional practices of placing supervisor
code into user tasks, as well as locating virtual memory support at lowest
system levels, are design flaws with respect to security. The simplifications
provided by virtual machine designs are now reasonably apparent. Progress has
been made in developing greatly simplified approaches to I/O handling, usually
the most serious sources of security flaws. Subtle, generic communication
paths in systems have been identified. In addition, the general principle
of "least common mechanism" was developed and illustrated. Work on
verification and validation of security software has now progressed to the
point where it is clear that the approach is viable. Security assertions,
which precisely define the notion of data security, have been specified. The
first pass at a semantic model of the security kernel, in which the detailed
proof takes place, has been completed, and work on the actual proofs has
begun. Pitfalls and inadequacies in standard verification strategies have
been found and extensions to those methods outlined. Considerable prototype
development has already occurred, and that development has been successful
in motivating a number of results described above. The design of a complete,
practical, verifiable security kernel has been completed. Parts of that
kernel code are now debugged and running. Design of the - monitor, which
runs over the kernel, is also complete. Substantial portions of that
prototype software are also debugged. Operating systems such as ANT
and DEC standard release DOS have already been successfully run in virtual
machine environments.

In summary then, we offer as the final measure of our achievements
during this contract period, the publications list below. This bibliography
consists of 43 papers, three Master's theses and three Ph.D. dissertations.
In addition, two major books have been published which are based in part on
the research conducted on this contract.

ANALYTIC MODELS OF COMPUTER SYSTEMS

Kleitman, D. and M. M. Krieger, "An Optimal Bound for Two-Dimensional
Bin Packing," sponsored by the IEEE Computer Society
Technical Committee on Mathematical Foundations of Computing in
cooperation with the ACM Special Interest Group for Automata and
Computability Theory and the Department of Electrical Engineering
and Computer Sciences, The University of California, Berkeley,
October 1975.

Muntz, R. R. and J. N. Wong, "An Efficient Computational Procedure
for Queueing Network Models," Proceedings of the Seventh Hawaii
International Conference on System Sciences, University of Hawaii,
Honolulu, Hawaii, January 1974, pp. 33-36.

Muntz, R. R., "Analytic Models for Computer System Performance
Analysis," Lecture Notes in Computer Science No. 8, Fachtagung
Struktur und Betrieb von Rechensystemen, University of Braunschweig,
Braunschweig, Germany, March 1974, pp. 246-265.

Muntz, R. R. and H. Opderbeck, "Stack Replacement Algorithms for
Two-Level Directly Addressable Paged Memories," SIAM Journal of
Computing, Vol. 3, No. 1, March 1974, pp. 11-22.

Muntz, R. R. and J. Wong, "Asymptotic Properties of Closed Queueing
Network Models," Proceedings of the Eighth Annual Princeton Conference
on Information Sciences and Systems, Princeton University, Princeton,
New Jersey, March 1974, pp. 348-352.

Muntz, R. R. and F. Baskett, "Open, Closed and Mixed Networks of
Queues with Different Classes of Customers," JACM, April , pp.

Cantor, D. G. and M. Gerla, "Capacity Allocation in Distributed
Computer Networks," Proceedings of the Seventh Hawaii International
Conference on System Sciences, University of Hawaii, Honolulu,
Hawaii, January 1974, pp. 115-117.

Cantor, D. G. and M. Gerla, "Optimal Routing in a Packet-Switched
Computer Network," IEEE Transactions on Computers, Vol. C-23,
October 1974, pp. 1062-1069.

Chu, W. W., "Dynamic Buffer Management for Computer Communications,"
Proceedings of the Third Data Communication Symposium, St. Petersburg,
Florida, November 1973, pp. 68-72.

DeWitt, H. and M. M. Krieger, "An Efficient Algorithm for Computing
the Minimal Spanning Tree of a Graph in a Euclidean-Like Space,"
Proceedings of the Eighth Hawaii International Conference on
System Sciences, University of Hawaii, Honolulu, Hawaii, January 1975,
pp. 253-255.

Kleinrock, L., "Challenging Problems in the Design of Computer-Communication
Networks," Proceedings of the XX International Meeting

Kleinrock, L., "Scheduling, Queueing and Delays in Time-Shared Systems
and Computer Networks," in Computer-Communication Networks, N. Abramson

Kleinrock, L., "Resource Allocation in Computer Systems and Computer-